Rhadamanthys (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.rhadamanthys (Back to overview)

Rhadamanthys

Actor(s): Sandworm

VTCollection

According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.

At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.

References

2025-03-28 ⋅ Trend Micro ⋅ Ahmed Mohamed Ibrahim, Aliakbar Zahravi
A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
DarkWisp SilentPrism Kematian Stealer Rhadamanthys Stealc Water Gamayun

2025-03-14 ⋅ Twitter (@CERTCyberdef) ⋅ Alexandre Matousek, Marine PICHON
Tweet on Emmenhtal v3
Emmenhtal Lumma Stealer Rhadamanthys

2025-03-06 ⋅ Outpost24 ⋅ KrakenLabs
Unveiling EncryptHub: Analysis of a multi-stage malware campaign
Rhadamanthys

2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Coper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc

2025-01-04 ⋅ revdiaries.com ⋅ heapoverflow
"Solara" Roblox Executor Malware
Rhadamanthys

2024-11-06 ⋅ Check Point Research ⋅ Check Point Research
CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits
Rhadamanthys

2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman
Highlighting TA866/Asylum Ambuscade Activity Since 2021
WasabiSeed Cobalt Strike csharp-streamer RAT Resident Rhadamanthys WarmCookie

2024-10-17 ⋅ Sekoia ⋅ Quentin Bourgue, Sekoia TDR
ClickFix tactic: The Phantom Meet
Rhadamanthys Stealc

2024-09-26 ⋅ Recorded Future ⋅ Insikt Group
Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0
Rhadamanthys

2024-07-25 ⋅ Symantec ⋅ Symantec
Growing Number of Threats Leveraging AI
Broomstick DBatLoader NetSupportManager RAT Rhadamanthys

2024-07-24 ⋅ Check Point Research ⋅ Antonis Terefos
Stargazers Ghost Network
Atlantida Lumma Stealer RedLine Stealer Rhadamanthys RisePro Stargazer Goblin

2024-07-14 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi
Malware Analysis - Rhadamanthys
Rhadamanthys

2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver

2024-06-17 ⋅ Recorded Future ⋅ Insikt Group
The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications
AMOS Rhadamanthys Stealc Markopolo

2024-04-10 ⋅ Proofpoint ⋅ Selena Larson, Tommy Madjar
Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
Rhadamanthys

2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver

2023-12-14 ⋅ Checkpoint ⋅ hasherezade
Rhadamanthys v0.5.0 – A Deep Dive into the Stealer’s Components
Rhadamanthys

2023-10-27 ⋅ Elastic ⋅ Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-10-03 ⋅ Outpost24 ⋅ David Catalan
Rhadamanthys malware analysis: How infostealers use VMs to avoid analysis
Rhadamanthys

2023-09-25 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit
Rhdamanthys Technical Analysis Report
Rhadamanthys

2023-08-31 ⋅ Checkpoint ⋅ hasherezade
From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats
Hidden Bee Rhadamanthys

2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee

2023-06-15 ⋅ eSentire ⋅ RussianPanda
eSentire Threat Intelligence Malware Analysis: Resident Campaign
Cobalt Strike Resident Rhadamanthys WarmCookie

2023-05-16 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar

2023-04-19 ⋅ Google ⋅ Billy Leonard, Google Threat Analysis Group
Ukraine remains Russia’s biggest cyber focus in 2023
Rhadamanthys

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2023-03-27 ⋅ Check Point Research ⋅ Checkpoint Research
Rhadamanthys: The “Everything Bagel” Infostealer
Rhadamanthys

2023-02-21 ⋅ Zscaler ⋅ Nikolaos Pantazopoulos, Sarthak Misraa
Technical Analysis of Rhadamanthys Obfuscation Techniques
Rhadamanthys

2023-01-16 ⋅ Medium elis531989 ⋅ Eli Salem
Dancing With Shellcodes: Analyzing Rhadamanthys Stealer
Rhadamanthys

2023-01-12 ⋅ Cybleinc ⋅ Cyble
Rhadamanthys: New Stealer Spreading Through Google Ads
Rhadamanthys

2023-01-03 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2023-01-03 (TUESDAY) - GOOGLE AD --> FAKE NOTPAD++ PAGE --> RHADAMANTHYS STEALER
Rhadamanthys

2022-12-05 ⋅ Accenture ⋅ Paul Mansfield, Thomas Willkan
Popularity spikes for information stealer malware on the dark web
MetaStealer Rhadamanthys

2022-10-06 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team
Rhadamanthys Stealer Analysis
Rhadamanthys

Yara Rules

[TLP:WHITE] win_rhadamanthys_auto (20241030 | Detects win.rhadamanthys.)

rule win_rhadamanthys_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.rhadamanthys."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33f0 33fa 891ccd28100803 8bde 892ccd2c100803 8bef }
            // n = 6, score = 100
            //   33f0                 | xor                 esi, eax
            //   33fa                 | xor                 edi, edx
            //   891ccd28100803       | mov                 dword ptr [ecx*8 + 0x3081028], ebx
            //   8bde                 | mov                 ebx, esi
            //   892ccd2c100803       | mov                 dword ptr [ecx*8 + 0x308102c], ebp
            //   8bef                 | mov                 ebp, edi

        $sequence_1 = { 33f0 891ccd30280803 892ccd34280803 33fa 8bde 8bef 0fa4f708 }
            // n = 7, score = 100
            //   33f0                 | xor                 esi, eax
            //   891ccd30280803       | mov                 dword ptr [ecx*8 + 0x3082830], ebx
            //   892ccd34280803       | mov                 dword ptr [ecx*8 + 0x3082834], ebp
            //   33fa                 | xor                 edi, edx
            //   8bde                 | mov                 ebx, esi
            //   8bef                 | mov                 ebp, edi
            //   0fa4f708             | shld                edi, esi, 8

        $sequence_2 = { 0facdf08 81e7ff000000 3304fd28400803 3314fd2c400803 c1e918 }
            // n = 5, score = 100
            //   0facdf08             | shrd                edi, ebx, 8
            //   81e7ff000000         | and                 edi, 0xff
            //   3304fd28400803       | xor                 eax, dword ptr [edi*8 + 0x3084028]
            //   3314fd2c400803       | xor                 edx, dword ptr [edi*8 + 0x308402c]
            //   c1e918               | shr                 ecx, 0x18

        $sequence_3 = { c1e608 33f0 891ccd28280803 892ccd2c280803 33fa }
            // n = 5, score = 100
            //   c1e608               | shl                 esi, 8
            //   33f0                 | xor                 esi, eax
            //   891ccd28280803       | mov                 dword ptr [ecx*8 + 0x3082828], ebx
            //   892ccd2c280803       | mov                 dword ptr [ecx*8 + 0x308282c], ebp
            //   33fa                 | xor                 edi, edx

        $sequence_4 = { 66837e082c 0f8692000000 6a04 6800100000 6800004000 }
            // n = 5, score = 100
            //   66837e082c           | cmp                 word ptr [esi + 8], 0x2c
            //   0f8692000000         | jbe                 0x98
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6800004000           | push                0x400000

        $sequence_5 = { 03c6 50 8b03 034508 50 e8???????? }
            // n = 6, score = 100
            //   03c6                 | add                 eax, esi
            //   50                   | push                eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_6 = { c784248c01000068ea0303 c7842490010000b4190403 c784249401000070490403 c784249801000018770403 c784249c01000058a20403 c78424a001000010d30403 c78424a401000034010503 }
            // n = 7, score = 100
            //   c784248c01000068ea0303     | mov    dword ptr [esp + 0x18c], 0x303ea68
            //   c7842490010000b4190403     | mov    dword ptr [esp + 0x190], 0x30419b4
            //   c784249401000070490403     | mov    dword ptr [esp + 0x194], 0x3044970
            //   c784249801000018770403     | mov    dword ptr [esp + 0x198], 0x3047718
            //   c784249c01000058a20403     | mov    dword ptr [esp + 0x19c], 0x304a258
            //   c78424a001000010d30403     | mov    dword ptr [esp + 0x1a0], 0x304d310
            //   c78424a401000034010503     | mov    dword ptr [esp + 0x1a4], 0x3050134

        $sequence_7 = { 837df400 0f84a0010000 8365e400 eb07 8b45e4 }
            // n = 5, score = 100
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   0f84a0010000         | je                  0x1a6
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   eb07                 | jmp                 9
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_8 = { 5e 5b c9 c20c00 8b4c2404 8a01 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   8a01                 | mov                 al, byte ptr [ecx]

        $sequence_9 = { c7842418020000383f0403 c784241c020000c46c0403 c7842420020000449a0403 c784242402000034ca0403 c7842428020000fcf90403 c784242c020000182b0503 }
            // n = 6, score = 100
            //   c7842418020000383f0403     | mov    dword ptr [esp + 0x218], 0x3043f38
            //   c784241c020000c46c0403     | mov    dword ptr [esp + 0x21c], 0x3046cc4
            //   c7842420020000449a0403     | mov    dword ptr [esp + 0x220], 0x3049a44
            //   c784242402000034ca0403     | mov    dword ptr [esp + 0x224], 0x304ca34
            //   c7842428020000fcf90403     | mov    dword ptr [esp + 0x228], 0x304f9fc
            //   c784242c020000182b0503     | mov    dword ptr [esp + 0x22c], 0x3052b18

    condition:
        7 of them and filesize < 1111040
}

Download all Yara Rules

Rhadamanthys Propose Change

References

Yara Rules

Rhadamanthys